Vulnerable WordPress Plugins Report for the Weeks of November 17 through November 30, 2018

Vulnerable Plugins

A weekly report on a Monday? Yeah. There were a lot of disclosures during the Thanksgiving week to sort through. Unfortunately, the vast majority of them were false positives and/or inaccurate and it took much longer for me to go over them than I anticipated.

Other Security News

The last two week have been full of security related news. First, RIPS Technologies revealed details behind a Remote Code Execution vulnerability via phar deserialization in phpBB, version 3.2.3 and earlier. phpBB has released v3.2.4 which fixes the vulnerability. Next, it was revealed the US Postal Service had exposed data from 60 million of its customers via a broken API. Not to be outdone, Marriott revealed that some 500 million customers records from its Starwood properties had been breached in September of this year. Researchers at Tenable revealed that a vulnerability in Zoom’s desktop conference application could allow an attacker to spoof messages, hijack screen controls and kick other attendees out of meetings. Zoom has released an update that corrects the vulnerability. Last, it was revealed that a popular npm package, event-stream, had had crypto-stealing code injected into it back in September.

While on break last week, I spent some checking out some new tools. XSS Fuzzer is a Cross-Site Scripting fuzzing utility written in html, css, and javascript. XSStrike is a Cross Site Scripting detection suite (and a great article on using Burp Suite, WFuzz, and XSStrike to find XSS vulnerabilities in applications). XSShell, a cross-site scripting reverse shell (which reminds me a little bit of the Xenotix XSS Exploit Framework). Last is a new static-analysis tool for PHP, PHPStan (hat-tip to David Needham for telling me about it).